Nice car, but cyber hackers may be doing your steering

By Henry Foy

You are travelling at 70 miles an hour down the motorway. Suddenly, your dashboard goes blank. The horn starts sounding. You push on the brakes but they fail to work. Then the steering-wheel starts to turn by itself.

The terrifying prospect of an uncontrollable vehicle is becoming a palpable danger, as the rapid advancement of technology means more parts of cars are controlled by computers that can be accessed and exploited by potential hackers.

Self-parking systems are designed to make parking easier, but could be used to take control of the car’s steering. Remote key systems should make a car harder to steal, but can also be used to lock a driver inside. And electronically-controlled brakes are meant to make cars safer, but could do the opposite.

“Hacking a car is not that difficult. They are getting increasingly networked,” says Fionnbharr Davies, technical director at Exploitable Labs, a company that helps businesses assess security weaknesses. “Essentially, the more complexity you add into a system, the more vulnerable it becomes,” he adds. “The more that is going on, the more that can go wrong.”

Software experts, academics and professional hackers have shown that with physical access to a car, such as in a mechanic’s garage or a service station, or through MP3 sound files on a CD containing malicious software, data can be uploaded that grants access to outside controllers.

Given that new cars boast a plethora of “connected” applications, from email readers to music streaming services and Bluetooth connectivity, remote access without any physical contact with the car could soon be possible. Some say it already is.

Charlie Miller and Chris Valasek wrote in a paper last year: “Drivers and passengers are strictly at the mercy of the code running in their automobiles and, unlike when their web browser crashes or is compromised, the threat to their physical wellbeing is real.” The cyber security experts describe how they took control of a Ford Escape and a Toyota Prius using software code.

In their study, Mr Miller, who works as a computer security expert for Twitter, and Mr Valasek, the director of security intelligence at IOActive, disabled the brakes and other functions of the cars in a series of tests.

This was supported by a grant from the Defense Advanced Research Projects Agency, part of the US defence department.

The pair took advantage of small electronic control units that are built into virtually every new car and control almost all the vehicle’s systems, from central locking to fuel injection, window opening and climate control.

“The software that is running on [cars] probably has not been thoroughly audited. It’s very fresh,” said Mr Davies. “They have been in their little bubble for quite a while and now they are being exposed to the internet and all that.”

Ford said that while the vehicle was hacked by Mr Miller and Mr Valasek, it required both direct access to the vehicle and the ignition key.

“This extraordinary effort, with direct physical connection to the vehicle, was neither remote nor wireless and does not suggest that Ford vehicles are generally vulnerable to cyber attack,” says Christin Baker, a Ford representative.

“We continuously work to ensure that all our electronic systems have robust security protocols.”

Toyota says it has developed effective firewall technology to prevent remote access to its vehicles, and that “we continue to try to hack our [own] systems”.

But behind closed doors, the car industry is concerned about this new reality and whether it has the ability to stay ahead of potential attack methods, according to numerous officials at carmakers who spoke to the FT.

For a century, carmakers welded together steel and engineered physical parts. However, a new era of consumer technology, and rising competition from companies such as Apple and Google that take an interest in the industry, has forced carmakers to fill vehicles with software and code that can be compromised and with in-car connectivity that provides potential entry points.

More than 100m cars are expected to have some form of connectivity by 2025, according to research by EY, the consultancy.

The attraction to manufacturers is clear: revenues from connected cars are expected to reach $25bn by then, 10 times more than today.

Many carmakers provide as standard “black box” telematics systems that use a long-range wireless link to transmit information about the vehicle in real-time. Others have turned to applications such as those found on a mobile phone to allow drivers to add software to dashboards.

Electronically-controlled systems, such as “steer by wire”, which replaces a physical link between the steering-wheel and the axle with electronic sensors and motors, are only going to become more common. So, too, are cars that can steer themselves.

Harthmuth Hoffmann, head of technology communications at Volkswagen, the world’s second-largest carmaker by sales, says: “In interfacing to smartphones, and in coupling navigation and information systems with driver assistance systems via radio-based communication, the vehicle is being opened increasingly to external software.”

Mr Hoffmann notes that: “This new openness could heighten the risk of cyber crime,” adding that Volkswagen has various levels of security to prevent access to its cars.

Last July, Volkswagen won a court ruling blocking a University of Birmingham academic from publishing research that he said provided the start codes for cars manufactured by the company and which could be used by potential hackers.

Copyright The Financial Times Limited 2015.